Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1727
Views
5
Helpful
5
Replies

Upgrade to ISE 2.2 loses Identity Groups .....

Frank Lothar Weber
Level 1
Level 1

‎02-11-2017 02:07 AM - edited ‎03-11-2019 12:27 AM

Hi, folks.

After successful upgrading from ISE 2.1 to 2.2, ISE has lost all Identity Groups (or at least does not show them):

Before upgrade (2.1):

After upgrade to 2.2:

The funny thing is:

I know a specific mac-address that has been part of the GuestEndpoints identity group, If I check on this specific mac-address (Context visibility/Endpoints) in 2.2, I still can see this mac is a member of GuestEndpoints:

But the group(s) itself is not visible/existent ...

I guess, at this time that would mean: Every authen/autho policy that has any group in it, will fail ! Including guestflow etc.... !!!

Right in this minute I am restoring a configuration backup that I took under 2.1 into the 2.2 box, hoping this

would bring the groups back up. I will continue commenting here ...

Rgs

Frank (Pretty pis...ed!)

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Rahul Govindan
VIP Alumni
VIP Alumni

‎02-11-2017 04:43 AM

Whoa. that's pretty huge. Thanks for notifying this thread. I guess 2.2 is definitely a no-go for upgrade as of now :( Let us how it goes from the restore.

Looks like we have at least one major documented issue with GUI upgrade from 2.1 p2 to 2.2.

2.1P2-> 2.2 GUI upgrade failure due to SSL exception
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc38488

Am sure many more will crop up when people start their upgrades.

0 Helpful

Frank Lothar Weber
Level 1
Level 1
In response to Rahul Govindan

‎02-11-2017 07:24 AM

Just what I was afraid of:

Neither restoring the operational backup nor restoring the config backup that was taken on v2.1 did make the groups reappear again ......

I was aware of that GUI upgrade bug you mentioned, so I did the upgrade using the CLI like stated in the 2.2 upgrade guide document.

I remember a lot of WARNINGS during the upgrade, but the update process continued and was called successful at the end ...... Nice success :-(

Maybe somebody else could run the upgrade and see how that ends, so that we can be sure that it is not related to our deployment only, but will happen in other deployments, too .. !!!

This is definitely a no-go !!!!

Rgs

Frank

0 Helpful

Frank Lothar Weber
Level 1
Level 1
In response to Frank Lothar Weber

‎02-24-2017 06:44 AM

A short update on this with additional information:

Installing ISE 2.2 from scratch and restoring a config backup taken under 2.1 does restore the identity groups !!!!

Seems like only upgrading from a 2.1 box loses the groups, fresh install does not  ......!!!

Mohammed al Baqari
Level 11
Level 11
In response to Frank Lothar Weber

‎09-05-2017 11:07 AM

FYI, the same case when upgrading from 2.2 to 2.3. I am going to rebuilt tomorrow and restore a backup

0 Helpful

Patrick Moubarak
Level 4
Level 4
In response to Mohammed al Baqari

‎09-22-2017 07:32 AM

Thanks a lot for the information.

 

I upgraded 2.1 patch 3 to patch 5 (to fix a backup bug) then took a backup and ran the upgrade to 2.2

18 hours later, I cannot SSH into the VM or access the GUI.

I actually get a login prompt via SSH and get the banner then nothing happens when I enter the password, the prompt just freezes:

 

login as: admin
BANNER...
admin@10.23.83.157's password:

 

Maybe the best strategy is a fresh 2.2 and restore

 

Patrick

0 Helpful
Customers Also Viewed These Support Documents